Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.

Challenge info

fs0ciety [by subzer0x0]
We believe that there is an SSH Password inside password protected ‘ZIP’ folder. Can you crack the ‘ZIP’ folder and get the SSH password?

The challenge

We start of by downloading the file and verifying it’s sha256sum with the hash displayed on the challenge page.

$ sha256sum 

We then proceed to unzip this file using the password provided on the challenge page. This will give us – the very similarly named –

$ unzip 
[] password: 

We check the contents of the zip file and notice that the file is password protected.

$ unzip -l 
  Length      Date    Time    Name
---------  ---------- -----   ----
      729  2017-08-15 17:44   sshcreds_datacenter.txt
---------                     -------
      729                     1 file

$ unzip 
[] sshcreds_datacenter.txt password: 
   skipping: sshcreds_datacenter.txt  incorrect password

Bruteforcing the zip password

First we create a hashfile of the zip which can then be fed to a password cracking tool, like john.

$ zip2john > /tmp/encrypted.hash
ver 2.0 PKZIP Encr: cmplen=335, decmplen=394, crc=1004499F
$ cat /tmp/encrypted.hash$pkzip2$1*1*2*0*c6*2d9*e126a116*0*35*8*c6*e126*8d9c*ee49af82113993a8062a3e309f126a6735d8fe7d6ca4382fdbd7aa6609b64411a43072212235835bb746967be74f4ea33014b695fe648799add3880671ae20caf3f854d73d6040dbb57f66db7328761e0cbecb85d5df465d4d4eabfee1fdbef6d9bbe2b6d86bc5bbdb2a30694181b7ec709c803022a7993fdca9234ebbabe54ec1dc118e49eff1faba92abd1eabcb1381d24139807604343caa2cf18359e3b7a594ed25d48805941deccf728f04fa4937a949c0c335344028a3f60eb74fc495e50f58ff8ad81*$/pkzip2$

We then proceed to cracking/bruteforcing the password using this hash file.

$ john /tmp/encrypted.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
justdoit         (
1g 0:00:00:00 DONE 2/3 (2019-08-22 15:58) 8.333g/s 398941p/s 398941c/s 398941C/s 123456..ferrises
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Using the freshly discovered password justdoit we can now unzip

Decoding the SSH password

The content of the text file doesn’t look like a password. However, it does look very similar to a Base64 encoded string.

$ cat sshcreds_datacenter.txt 
Encrypted SSH credentials to access Blume ctOS : 



Base64 decoding the string, returns us a bunch of 1’s and 0’s, i.e. something that appears to be a blob of binary data.

01101001 01100110 01011111 01111001 00110000 01110101 01011111 01100011 01000000 01101110 01011111 00100100 01101101 00110011 01101100 01101100 01011111 01110111 01101000 01000000 01110100 01011111 01110100 01101000 00110011 01011111 01110010 00110000 01100011 01101011 01011111 01101001 01110011 01011111 01100011 00110000 00110000 01101011 01101001 01101110 01100111

We feed this data into a binary to text decoder (e.g. to retrieve the SSH password.


Note that HackTheBox has a certain syntax for flags, so you need to adjust this password to fit the flag requirements.